Colonial Pipeline Ransomware Attack: Revealing How DarkSide Works


Alexey Kleymenov

Throughout the last two weeks, the entire cybersecurity community has been riveted by the Colonial Pipeline ransomware attack. It is one of the most notable attacks on critical infrastructure of the past few years and has directly and indirectly impacted multiple industries in the U.S economy. Thankfully, operations are up and running after an approximately week-long outage and reported payment of a $5 million ransom.

DarkSide, the Ransomware as a Service (RaaS) deployed against Colonial Pipeline, is a good example of similar malware attacking organisations around the globe. Carefully prepared and deployed, it uses a combination of techniques to successfully extort its victims.

Nozomi Networks Labs has studied the internals of the DarkSide executable and we’re sharing our findings to reveal the techniques used by its machine code in three areas: the selection of victims and files, ensuring anonymity and anti-detection, and preventing data restoration. We also provide IoCs (indicators of compromise) and decryption script to help you detect DarkSide.

It’s important to remember that the sum of Darkside’s code translates to devastating consequences in the physical world. We encourage you to understand DarkSide’s techniques to help you assess both your own defences and your incident response capabilities.

 DarkSide Ransomware: Technical Analysis

 Victim Validation

The malware first collects basic information about its victim’s computer systems to learn the details of the technical environment.

The malware obtains the affected computer’s name.
DarkSide collects the victim’s basic system information.

In addition, it skips victims from certain geographical regions by checking the language used by their systems. (Notably, DarkSide does not attack systems that use Russian or other Eastern European languages.)

The ransomware checks if the system language is the one used in CIS countries.

 Selection of Files for Encryption

Next, DarkSide determines what files to encrypt. If malware attempts to encrypt all the files available on the system, it quickly makes the system unusable – and leaves the victim without information on how to contact the attackers. In addition, it takes significantly more time to do the encryption than is needed for the purposes of executing the attack. DarkSide is particularly selective about what files it encrypts, selecting them mainly by examining their file directories, file names and file extensions.

The list of directories, file names and file extensions skipped during the encryption.


To remain anonymous and prevent prompt shutdown, websites for contacting ransomware threat actors are hosted in the Tor network.

A section of DarkSide’s instructions describing how to access the Tor-based website.

 Anti-Detection Techniques

To stay under the radar until the victim’s systems are impacted, DarkSide incorporates various commonly used techniques.


Most of the Darkside’s critical strings are encrypted to avoid triggering detection.

The XOR-based decryption algorithm.

For the same reason, the malware’s main configuration is also encrypted. It is compressed with aPLib, with individual configuration values encoded with a Base64 algorithm.

Decryption and decompression of the configuration block.
Base64-encoded configuration values in the malware.

 Dynamic API Resolution

WinAPIs are the standard way programs interact with the Windows operating system to access certain functionality, including file and network operations. Therefore, use of these interfaces quickly reveals the actual purpose of the malware to security systems.

To prevent detection, DarkSide does not immediately have all the APIs used available in the import table, as legitimate executables do. Instead, it resolves them dynamically before using them, some by hashed names and some by encrypted names.

The dynamic WinAPI resolution used by DarkSide.

 Preventing Data Restoration

If system administrators could quickly and easily restore the affected data without paying money to criminals, ransomware attacks would not succeed. The authors of DarkSide incorporate multiple techniques to ensure ransom is paid.

 Dealing with Backups

Ransomware makes sure that standard backup solutions are unusable on the targeted machines. Windows has a feature called Shadow Copy aimed at dealing with such situations. It allows the creation of backup copies of computer files so they can be restored when needed. The main limitation of this approach is that the backup files are stored on the same system as the original files. If malware compromises the system, the backup files are readily deleted.

The commands used to get a list of Shadow Copy backups.

In addition, the malware can search for backups by name:

The ransomware’s search for and deletion of backups.

Finally, DarkSide attempts to disable various backup solutions, searching for them by name.

The list of services to terminate from the embedded configuration.

The process DarkSide uses to stop and delete backup-related services.

 Correct Use of Symmetric and Asymmetric Encryption

Many first generations of ransomware lacked proper encryption, which made it possible for victims to recover files on their systems for free. Unfortunately, those days are long gone, and modern malware families do not repeat this mistake.

The main difference now is that symmetric encryption has been enhanced with focused use of asymmetric encryption. The former uses the same secret key for both encrypting and decrypting the data, therefore intercepting it is enough to restore access to the data.

On the other hand, asymmetric encryption uses a notion of private and public keys. While the encryption is done using a public key, the decryption is impossible without a private key. DarkSide malware implements this functionality properly by only embedding the public key in the malware and keeping the private key confidential.

The main disadvantage of asymmetric encryption over symmetric is the encryption speed. To get the best of both worlds, the authors of DarkSide encrypt victims’ files using a symmetric encryption algorithm (Salsa20 with a custom matrix) and then encrypt the corresponding symmetric keys with their asymmetric public key (RSA-1024).

The symmetric Salsa20 encryption algorithm with a custom matrix.

 DarkSide Demonstrates Modern Ransomware Techniques

DarkSide is just one example of a modern ransomware family that combines multiple time-tested techniques to achieve its goal. It also highlights the effectiveness of the RaaS model, which is gaining in popularity. With this model, multiple parties are involved in each attack, with a division of effort that plays to the strengths of each party.

With RaaS, experienced malware writers focus on the development of the core ransomware code, leaving deployment to affiliates who specialise in gaining access to the networks of targeted organisations. In the case of DarkSide, it is estimated that their more than 40 victims have paid $90 million in total bitcoin, with $15.5 million going to the development group and $74.7 million going to its affiliates.